CVE-2026-0300
PAN-OS: Unauthenticated user initiated Buffer Overflow Vulnerability in User-ID™ Authentication Portal
Description
A buffer overflow vulnerability in the User-ID™ Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets. The risk of this issue is greatly reduced if you secure access to the User-ID™ Authentication Portal per the best practice guidelines https://knowledgebase.paloaltonetworks.com/KCSArticleDetail by restricting access to only trusted internal IP addresses. Prisma Access, Cloud NGFW and Panorama appliances are not impacted by this vulnerability.
In plain language
AI Act nowCVE-2026-0300 is a critical, likely-to-be-exploited flaw in the PAN-OS User-ID™ (Captive/Captive) Authentication Portal that could let an unauthenticated attacker run code as root on affected Palo Alto Networks firewalls—if you run one of those affected PAN-OS appliances, act now.
What to do
- Check with your IT/network admin whether your PA-Series or VM-Series running PAN-OS has the User-ID™ Authentication Portal (Captive Portal) exposed to networks beyond your trusted internal IPs.
- Patch immediately to the fixed PAN-OS version(s) your vendor provides for CVE-2026-0300.
- If you can’t patch immediately, restrict access to the User-ID™ Authentication Portal to only trusted internal IP addresses per Palo Alto Networks best practices.
CVSS Vector Breakdown
AV:NAttack VectorAC:LAttack ComplexityPR:NPrivileges RequiredUI:NUser InteractionS:UScopeC:HConfidentialityI:HIntegrityA:HAvailabilityWeaknesses
Affected Products
Exploitability
Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Until the vendor releases an official fix, the following workaround should be implemented: - Restrict User-ID Authentication Portal access to only trusted zones. - Disable User-ID Authentication Portal if not required. 5/13/2026: Palo Alto has released a variety of patches. If these are relevant to your environment, please apply the designated patch.
Exploit details including PoC links, Metasploit modules, and scanner templates are available after registration.
View exploit detailsAttack Graph
Click technique nodes for MITRE ATT&CK details · drag to pan · Ctrl/⌘ + scroll to zoom, or go fullscreen.
MITRE ATT&CK
2 techniquesReferences
- Июньский «В тренде VM»: уязвимости ядра Linux, Microsoft Defender и устройств Palo Alto Networksru·Хабр — Информационная безопасность· Summary only·
- Топ самых интересных CVE за май 2026 годаru·Хабр — Информационная безопасность·
- В фокусе RVD: трендовые уязвимости маяru·Хабр — Информационная безопасность· Summary only·
- CVE-2026-0265: Authentication Bypass in Palo Alto Networks PAN-OSen·Rapid7 Blog·
- 11th May – Threat Intelligence Reporten-us·Check Point Research·
- Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated Remote Code Executionen-us·Palo Alto Unit 42·
Unlock Complete Vulnerability Intelligence
Get the full picture for CVE-2026-0300 and every CVE in our database. Create a free account — no credit card required.
Create Free Account